Along with the recent development of communication networks, studies of information security, i.e., of realizing security functions by means of encryption processing algorithms and protocols, have been carried out extensively. There is a variety of encryption processing algorithms, which can be roughly classified into public key encryption methods and shared-key encryption methods. As disclosed in Non-Patent Document 1, when emphasis is placed on simplicity of implementation and processing speed, the public key encryption method is used more commonly than the shared-key encryption method. A well-known algorithm of the shared-key encryption method is shared-key block encryption (e.g., DES (Data Encryption Standard)). Shared-key block encryption is composed of two algorithms: encryption E and decryption E^{−1}. With respect to a given key k, the decryption E^{−1} is the inverse function of the encryption E, and the following relationship is satisfied: E^{−1}(E(m)) = m (m is a given block).
The input block of the encryption algorithm and the output block of the decryption algorithm are referred to as “plain text”, and the output block of the encryption algorithm and the input block of the decryption algorithm are referred to as “cipher text”. As a mechanism for encrypting a plain text longer than the block length, an encryption use mode is known; it is treated as a known technique in, e.g., Patent Document 1: JP 2004-45641A “Encryption processing device and method therefor”.
For example, according to Patent Document 1, a CFB (cipher feedback) mode, which is one of the encryption use modes, has the structure shown in FIG. 5. That is, IV (initial vector) data is retained by a register 2a in the initial state, and the IV data is then encrypted in a DES encryption calculation section 1a, which outputs encrypted data E. Subsequently, random number data R is extracted from the upper k bits of the encrypted data E, and the extracted random number data R and a k-bit message M are XORed to generate a k-bit cipher text C. The generated k-bit cipher text C is appended to the lower bit side of the IV data retained in the register 2a, and the resultant data is retained in the register 2a with its upper k bits discarded. The random data for the cipher text to be transmitted next time is generated from this updated register content.
On the reception side of the cipher text C, the IV data is retained in a register 2b in the initial state, and the IV data is then encrypted in a DES encryption calculation section 1b, which outputs the encrypted data E. Subsequently, the random number data R is extracted from the upper k bits of the encrypted data E, and the extracted random number data R and the received k-bit cipher text C are XORed to restore the k-bit message M. The received k-bit cipher text C is appended to the lower bit side of the IV data retained in the register 2b, and the resultant data is retained in the register 2b with its upper k bits discarded. The random data to be XORed with the cipher text received next time is generated from this updated register content.
Similarly, according to Patent Document 1, an OFB (output feedback) mode, which is another of the encryption use modes, has the structure shown in FIG. 6. That is, in the OFB mode, 64-bit IV data is retained by a register 2a in the initial state, and the IV data is then encrypted in a DES encryption calculation section 1a, which outputs encrypted data E. Subsequently, random number data R is extracted, by a data extraction section 4a, from the upper k bits (k is an integer from 0 to 64) of the encrypted data E, and the extracted random number data R and a message M are XORed in a calculation circuit 3a. From the calculation result, a k-bit cipher text C is obtained.
The random data R is appended to the lower bit side of the IV data retained in the register 2a, and the upper k bits of the resultant data are discarded. The 64-bit data thus obtained is newly retained in the register 2a and is used for generating the random data for the cipher text to be transmitted next time.
On the reception side of the cipher text C as well, the same random data R is generated by the same configuration, and the generated random data R and the cipher text C are XORed to restore the original message M.
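The two register-based modes described above (k-bit CFB with cipher-text feedback, and k-bit OFB with random-data feedback) are implemented below as an added example; this is not code from Patent Document 1 or from the DES standard. Since both modes only ever call the block cipher in the encryption direction, the example substitutes a hypothetical keyed one-way 64-bit function (`block_encrypt`, built from SHA-256) for the DES encryption calculation section; it is a stand-in, not a cipher. The example also goes beyond the text by showing how a single flipped cipher-text bit behaves in each mode: in OFB the same plain-text bit flips and nothing else, while in CFB the error additionally garbles the following 64/k units while the corrupted unit sits in the register. The key, IV and message values are constructed for the demonstration.

```python
import hashlib

BLOCK_BITS = 64
BLOCK_MASK = (1 << BLOCK_BITS) - 1


def block_encrypt(key: bytes, block: int) -> int:
    """Hypothetical stand-in for the DES encryption calculation section.

    CFB and OFB only use the forward direction of the block cipher, so any
    deterministic keyed 64-bit mapping exercises the mode. This is NOT DES.
    """
    digest = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def top_k_bits(encrypted: int, k: int) -> int:
    """Random data R: the upper k bits of the 64-bit encrypted data E."""
    return encrypted >> (BLOCK_BITS - k)


def shift_in(register: int, data: int, k: int) -> int:
    """Append k-bit data on the lower bit side and discard the upper k bits."""
    return ((register << k) | data) & BLOCK_MASK


def _check_k(k: int) -> None:
    if not 1 <= k <= BLOCK_BITS:
        raise ValueError("k must be between 1 and 64 bits")


def cfb_process(key: bytes, iv: int, k: int, units, decrypt: bool):
    """k-bit CFB. `units` are k-bit integers; the cipher text is fed back."""
    _check_k(k)
    register, out = iv, []
    for unit in units:
        r = top_k_bits(block_encrypt(key, register), k)
        result = unit ^ r
        # Transmitter feeds back the cipher text it produced; receiver feeds
        # back the cipher text it received (its input unit).
        feedback = unit if decrypt else result
        out.append(result)
        register = shift_in(register, feedback, k)
    return out


def cfb_encrypt(key: bytes, iv: int, k: int, message):
    return cfb_process(key, iv, k, message, decrypt=False)


def cfb_decrypt(key: bytes, iv: int, k: int, ciphertext):
    return cfb_process(key, iv, k, ciphertext, decrypt=True)


def ofb_process(key: bytes, iv: int, k: int, units):
    """k-bit OFB. The random data R itself is fed back, so encryption and
    decryption are the same operation on both sides."""
    _check_k(k)
    register, out = iv, []
    for unit in units:
        r = top_k_bits(block_encrypt(key, register), k)
        out.append(unit ^ r)
        register = shift_in(register, r, k)
    return out


def flip_bit(units, index: int, bit: int):
    """Model a transmission error / tampering of one cipher-text bit."""
    damaged = list(units)
    damaged[index] ^= 1 << bit
    return damaged


def differing_positions(a, b):
    """Indices at which two unit sequences differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    key, iv, k = b"constructed-demo-key", 0x0123456789ABCDEF, 8
    message = list(b"register based CFB and OFB demo")  # k=8: one byte per unit
    c_cfb = cfb_encrypt(key, iv, k, message)
    c_ofb = ofb_process(key, iv, k, message)
    print("CFB round trip:", cfb_decrypt(key, iv, k, c_cfb) == message)
    print("OFB round trip:", ofb_process(key, iv, k, c_ofb) == message)
    print("CFB error spread:", differing_positions(
        message, cfb_decrypt(key, iv, k, flip_bit(c_cfb, 2, 0))))
    print("OFB error spread:", differing_positions(
        message, ofb_process(key, iv, k, flip_bit(c_ofb, 2, 0))))
```

The error-spread output is the security-relevant caveat: in both modes a flipped cipher-text bit flips exactly the corresponding plain-text bit of that unit (OFB) or of that unit plus the self-synchronisation window of 64/k units (CFB), so neither mode by itself tells the receiver that anything was altered; that is the job of the message authentication described next.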
Message authentication is a procedure that verifies that a message, i.e., data exchanged between a transmitter and a receiver, is identical to the original, in order to confirm that the message has not been falsified by an illegal activity such as a computer virus or hacking attack. A typical method of message authentication uses Message Authentication Codes (MAC) generated by a one-way hash calculation. The one-way hash value of a message m, x = H(m), is calculated and the obtained x is stored. If the message m is replaced by a message m′ through falsification, x ≠ H(m′) holds, so that it is understood that the message has been falsified.
The one-way hash calculation is a calculation that compresses a message of a given length into a message of a specified length. The original message can never be restored from the compressed message.
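The detection step described above, x = H(m) stored and later compared against H(m′), as an added example that is not part of the original document. It uses SHA-256 as the one-way hash H. The example goes one step beyond the text: it also shows the keyed form (HMAC) that a practitioner would actually deploy, because an adversary who can replace m with m′ in transit can equally recompute the unkeyed H(m′) unless the stored x is kept out of their reach, whereas a keyed tag cannot be recomputed without the key. The messages and key are constructed for the demonstration.

```python
import hashlib
import hmac


def one_way_hash(message: bytes) -> bytes:
    """H(m): compresses a message of any length to a fixed 32-byte value.
    SHA-256 stands in for the one-way hash calculation of the text."""
    return hashlib.sha256(message).digest()


def store_hash(message: bytes) -> bytes:
    """Transmitter side: compute x = H(m) and keep it for later comparison."""
    return one_way_hash(message)


def falsification_detected(stored_x: bytes, received: bytes) -> bool:
    """Receiver side: x != H(m') means the message was altered.
    compare_digest avoids leaking the position of the first mismatch
    through timing."""
    return not hmac.compare_digest(stored_x, one_way_hash(received))


def mac_tag(key: bytes, message: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA-256). Unlike a bare hash, the tag cannot be
    recomputed for a falsified m' by a party that does not hold the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def unkeyed_hash_is_forgeable(original: bytes, forged: bytes) -> bool:
    """Illustrates the limitation of an unkeyed hash: whoever replaces the
    message can also replace the accompanying hash with a matching one, so the
    receiver's check passes unless x was stored where the attacker cannot
    reach it. Returns True when the forged pair passes verification."""
    forged_x = one_way_hash(forged)          # attacker recomputes x
    return not falsification_detected(forged_x, forged)


if __name__ == "__main__":
    m = b"transfer 100 to account 42"       # constructed original message
    m_prime = b"transfer 900 to account 42"  # constructed falsified message
    x = store_hash(m)
    print("tampering detected with stored x:", falsification_detected(x, m_prime))
    print("unkeyed hash replaced by attacker:", unkeyed_hash_is_forgeable(m, m_prime))
    key = b"constructed-shared-secret"
    tag = mac_tag(key, m)
    print("HMAC on original verifies:", mac_verify(key, m, tag))
    print("HMAC on falsified message verifies:", mac_verify(key, m_prime, tag))
```

A hash compared against a copy the attacker cannot modify detects falsification; a hash sent alongside the message does not, which is why a MAC in practice is keyed with a secret shared between transmitter and receiver.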
Patent Document 1: JP 2004-45641A (pages 29 to 31)
Non-Patent Document 1: “Software implementation of FEAL-NX”, Hiroaki Ootsuka and Hiroki Ueda (NTT)